Impact
The issue is a subscriber‑based Cross Site Scripting (XSS) flaw that allows an attacker to inject arbitrary script into pages rendered for users with subscriber roles. The vulnerability arises from unsanitized input that is reflected in the plugin’s output, enabling the execution of malicious code in the victim’s browser. An exploited XSS can lead to credential theft, session hijacking, or defacement of the site while affecting the confidentiality, integrity, and availability of the web interface.
Affected Systems
This flaw affects the WordPress FV Flowplayer Video Player plugin from FolioVision when its version is older than 7.5.51.7212. Any WordPress installation that has this plugin installed and is below the specified version is at risk. The vendor’s advisory explicitly lists these product versions as affected.
Risk and Exploitability
The CVSS vector yields a score of 6.5, indicating moderate severity. The EPSS score of less than 1% suggests a low probability that the flaw has already been exploited in the wild, and the vulnerability is not recorded in the CISA KEV catalogue. Nonetheless, because the attack vector is likely a web page that renders plugin output to subscribers, an attacker who can inject content via the plugin's settings or media uploads can trigger XSS. Consequently, the risk remains significant for sites that rely heavily on subscriber content sent through the plugin.
OpenCVE Enrichment